You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

credstash - retrieve secrets from Credstash on AWS¶

New in version 2.0.

Synopsis
- Requirements
Parameters
Examples
Return Values
Status
- Author

Synopsis ¶

Credstash is a small utility for managing secrets using AWS’s KMS and DynamoDB: https://github.com/fugue/credstash

Requirements ¶

The below requirements are needed on the local master node that executes this lookup.

credstash (python library)

Parameters ¶

Parameter	Choices/Defaults	Configuration	Comments
_terms list required			term or list of terms to lookup in the credit store
aws_access_key_id		env:AWS_ACCESS_KEY_ID	AWS access key ID
aws_secret_access_key		env:AWS_SECRET_ACCESS_KEY	AWS access key
aws_session_token		env:AWS_SESSION_TOKEN	AWS session token
profile_name		env:AWS_PROFILE	AWS profile to use for authentication
region			AWS region
table required	Default: "credential-store"		name of the credstash table to query
version			Credstash version

Examples ¶

- name: first use credstash to store your secrets
  shell: credstash put my-github-password secure123

- name: "Test credstash lookup plugin -- get my github password"
  debug: msg="Credstash lookup! {{ lookup('credstash', 'my-github-password') }}"

- name: "Test credstash lookup plugin -- get my other password from us-west-1"
  debug: msg="Credstash lookup! {{ lookup('credstash', 'my-other-password', region='us-west-1') }}"

- name: "Test credstash lookup plugin -- get the company's github password"
  debug: msg="Credstash lookup! {{ lookup('credstash', 'company-github-password', table='company-passwords') }}"

- name: Example play using the 'context' feature
  hosts: localhost
  vars:
    context:
      app: my_app
      environment: production
  tasks:

  - name: "Test credstash lookup plugin -- get the password with a context passed as a variable"
    debug: msg="{{ lookup('credstash', 'some-password', context=context) }}"

  - name: "Test credstash lookup plugin -- get the password with a context defined here"
    debug: msg="{{ lookup('credstash', 'some-password', context=dict(app='my_app', environment='production')) }}"

Return Values ¶

Common return values are documented here, the following are the fields unique to this lookup:

Key	Returned	Description
_raw		value(s) stored in Credstash

Status ¶

Author ¶

UNKNOWN

Hint

If you notice any issues in this documentation you can edit this document to improve it.